CVE-2023-35162

Name of the Vulnerable Software and Affected Versions XWiki Platform versions 6.1-rc-1 through 14.10.4 XWiki Platform versions 15.1-rc-1 and earlier

Description The issue allows users to forge a URL with a payload that injects Javascript into the page, enabling a cross-site scripting (XSS) attack. This can be achieved by exploiting the previewactions template. For example, using a URL such as <hostname>/xwiki/bin/get/FlamingoThemes/Cerulean?xpage=xpart&vm=previewactions.vm&xcontinue=javascript:alert(document.domain). The vulnerability has been present since XWiki 6.1-rc-1.

Recommendations For XWiki Platform versions 6.1-rc-1 through 14.10.4, update to version 14.10.5 or later. For XWiki Platform versions 15.1-rc-1 and earlier, update to version 15.1 or later. As a temporary workaround, consider editing the previewactions.vm template to perform checks on it, but note that the appropriate fix involves new APIs recently introduced in XWiki.